6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21334

GHSA ID

GHSA-6g2q-w5j3-fwh4

EPSS Score

0.43586%

CWE

CWE-200

Published

1/31/2024

Updated

1/31/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21334

CVE-2021-21334: containerd environment variable leak

Impact

Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.

If you are not using containerd’s CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue.

If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue.

If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue

Patches

This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions as soon as they are released.

Workarounds

There are no known workarounds.

For more information

If you have any questions or comments about this advisory:

Open an issue
Email us at security@containerd.io if you think you’ve found a security bug.

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21334

GHSA ID

GHSA-6g2q-w5j3-fwh4

EPSS Score

0.43586%

CWE

CWE-200

Published

1/31/2024

Updated

1/31/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/containerd/containerd	go	>= 1.4.0, < 1.4.4	1.4.4
github.com/containerd/containerd	go	< 1.3.10	1.3.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was fixed in containerd/cri#1628 and #1629 by modifying environment variable handling in container creation. The commit diffs show changes to environment variable initialization in container spec generation, specifically ensuring environment variables are appended to a new slice rather than potentially reusing a previous container's environment. The CVE description directly matches this code change pattern where environment variables from different containers could be mixed when sharing the same image.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Imp**t *ont*in*rs l*un**** t*rou** *ont*in*r*'s *RI impl*m*nt*tion (t*rou** Ku**rn*t*s, *ri*tl, or *ny ot**r po*/*ont*in*r *li*nt t**t us*s t** *ont*in*r* *RI s*rvi**) t**t s**r* t** s*m* im*** m*y r***iv* in*orr**t *nvironm*nt v*ri**l*s, in*lu*i

Reasoning

T** vuln*r**ility w*s *ix** in *ont*in*r*/*ri#**** *n* #**** *y mo*i*yin* *nvironm*nt v*ri**l* **n*lin* in *ont*in*r *r**tion. T** *ommit *i**s s*ow ***n**s to *nvironm*nt v*ri**l* initi*liz*tion in *ont*in*r sp** **n*r*tion, sp**i*i**lly *nsurin* *n

6.3

Basic Information

Concerned about an active attack path?

CVE-2021-21334: containerd environment variable leak

Impact

Patches

Workarounds

For more information

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI